CVE-2016-10034
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
zend-mail remote code execution via Sendmail adapter
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://framework.zend.com/security/advisory/ZF2016-04
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | zendframework/zend-mail | <2.4.11 | 2.4.11 |
| Packagist | zendframework/zend-mail | >=2.5,<=2.5.2 | |
| Packagist | zendframework/zend-mail | >=2.6,<=2.6.2 | |
| Packagist | zendframework/zend-mail | >=2.7,<2.7.2 | 2.7.2 |
References
- http://www.securityfocus.com/bid/95144
- http://www.securitytracker.com/id/1037539
- https://framework.zend.com/security/advisory/ZF2016-04
- https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
- https://security.gentoo.org/glsa/201804-10
- https://www.exploit-db.com/exploits/40979/
- https://www.exploit-db.com/exploits/40986/
- https://www.exploit-db.com/exploits/42221/
- https://nvd.nist.gov/vuln/detail/CVE-2016-10034
- https://github.com/zendframework/zend-mail
- https://www.exploit-db.com/exploits/40979
- https://www.exploit-db.com/exploits/40986
- https://www.exploit-db.com/exploits/42221
CWEs
CWE-77
Verify integrity in audit chain (admin only). AS-IS.